Software programs have been developed in the past to provide security for computing sessions during which tasks are executed by computing devices that involve the gathering and use of a user's personal information. For example, computer systems have been developed whereby a user can access a system through a computing device, by which to engage in self-service banking activities. These sessions typically include a log-in process at the onset of the computing session, during which a user is required to input credentials into the system that the system uses to verify the identity of the user, after which the system authorizes the user to access sensitive information based on this verification. Sensitive personal banking information can include stored bank account data maintained for that user by her bank.
The development of self-service banking technologies originated with the development of automated teller machines (ATMs) in the late 1960s. These specialized computing devices made it possible for customers of banks to perform personal transactions with their banks electronically virtually twenty-four hours a day, and seven days a week. At first, these ATMs were directly coupled to the customer's physical bank branch. In short order, they became highly interconnected through intra-bank networks, and then through interbank networks that now permit customers to perform such transactions from any ATM around the world. Thus, customers can perform various activities involving the exchange of highly sensitive and personal banking information with their respective banks, such as withdrawing and depositing funds, making account balance inquiries and transferring funds between the customer's various accounts. Notwithstanding the convenience of such commercial terminals, users must still physically travel to an ATM location, and must share those specialized computing terminals with other users.
With the advent of personal computers and the Internet, financial institutions began providing secure web sites with which customers could interact over the Internet through a browser program executed on a customer's personal computer. This technology enabled customers to perform many of the same types of banking transactions from their home or office, using a personal computer, that they were previously performing using an ATM. Such activities include making balance inquiries, viewing monthly statements and summaries of transactions, and even paying their bills through the electronic transfer of funds.
The convenience of online banking has been further increased with the explosion of free public access Wi-Fi Internet hotspots, now physically located in all types of businesses that are open to the public. These hotspots make it possible for bank customers, using various mobile personal computing devices, to conduct sensitive banking activities over the Internet from hotels, restaurants, grocery stores, cafes, malls, airports, etc.
Perhaps the biggest revolution in self-service electronic banking has come about only recently, with the now nearly ubiquitous availability of affordable smartphones. Smartphones are capable of running sophisticated software applications such as banking applications, and can reach the Internet through the aforementioned public wireless hotspots, as well as through the mobile telephone network to which the user is subscribed. As a result, customers are now able to access their bank to conduct highly sensitive and personal banking activities, including using the smartphones to sense and gather sensitive personal data for purposes such as depositing physical checks, from virtually anywhere in the world.
While convenience to the user has greatly increased in direct relation to the degree to which they have become increasingly untethered from their physical banks, their vulnerability to those who would seek to steal their money and their sensitive personal information has increased commensurately. While the security of ATMs has been successfully breached in numerous ways, including physical attacks on users late at night, card skimming and shoulder surfing, sensitive banking activities conducted through ATMs are still not as vulnerable as when those activities are performed using personal computing devices. This is largely because ATMs have been historically provided either by the banks themselves, or by trusted third party vendors, and thus the user cannot easily alter the software running on ATM machines. Moreover, because the ATM is not operationally mobile, the link that couples it to the ATM network is dedicated and hardwired to the banking network. This close-coupling and control of ATMs makes this type of computing device relatively secure. Owners of personal computing devices such as smartphones, however, are able to easily access or otherwise alter the operational state of their own devices in many ways. For example, users are able to choose from and download to their personal computing devices a myriad of software applications available from third party developers.
The use of personal computers (PC) for home banking marked the advent of using computing devices owned and controlled by the users themselves, and not the banks, to connect to the banking system and perform sensitive activities. Because the user's bank is not able to control what additional software is loaded onto each user's PC, whether the user is using a secure firewall or an anti-virus software program, on what links the user clicks, or what emails a user opens, the potential for compromising the integrity of the device connecting to the bank's system is so much greater when the computing device used is owned and controlled by the user. Moreover, the use of unsecure public Wi-Fi hotspots with laptops, notebooks and tablet computing devices, as well as the use of near-field wireless device connections such as Bluetooth and NFC, has further opened up secure computing activities such as mobile banking to proximity attacks as well.
But it is the more recent explosion in the use of smartphones for performing sensitive tasks such as mobile banking that has created a veritable avalanche in potential security attacks during the performance of such sensitive activities. First, like the other forms of personal computing devices discussed above, they are owned by, and therefore under the complete control of, the user. Second, the user is free to download virtually unlimited types of software apps and services, mostly developed and sold by third party vendors. These apps can perform any number of tasks such as, for example, playing games like Angry Birds, turning on the LED flash of a smartphone's camera for use as a flashlight, and even providing different forms of keyboards that the user finds more desirable than the keyboard provided with the smartphone as purchased. Finally, it is the availability of various data gathering devices installed on smartphones such as cameras, microphones, GPS locating devices, scanning device drivers, port drivers such as USB, as well as proximity interfaces such as Bluetooth and NFC (near field communication chips) that are being used to sense and gather sensitive personal data while executing tasks such as mobile banking, that make personal computing devices such as smartphones so vulnerable to security attacks. These various data gathering devices are often accessible to any software application program or service running on the personal computing device, and that makes them particularly easy to exploit.
FIG. 1A illustrates a high-level representation of a known ATM banking environment 102. The ATM environment 102 is relatively secure. Often, the ATM machine 104 is locked in its own room, and a user must use his/her banking card to gain access to the ATM environment 102 first, with the door locking others from the environment 102 once the user is inside. The ATM environment 102 commonly includes a closed circuit television (CCTV) camera 118 that permits real time and stored monitoring of the entire ATM environment 102. A visible and/or audio alarm 116 is also sometimes provided.
Another camera 106 is also typically provided to capture image data of the user during each transaction. The ATM 104 commonly includes a display 110, a keyboard 108 through which users provide credentials and make menu selections shown on display 110, a card reader 112 for reading the user's personal debit and/or credit card, and cash and receipt dispenser 114. Newer ATMs may also include scanners for reading cash and checks for deposit.
ATM 104 is then typically coupled, through a dedicated link 120, directly to the servers of the data center 122 serving bank 124. Those of skill in the art will appreciate that ATM 104 is directly and physically coupled to the bank data center 122 through dedicated link 120, and it is relatively difficult to hack for purposes of intercepting a user's secure banking transaction data when it is being transmitted between the ATM 104 and the bank data center 122. The software operating system is not readily accessible to a user, so the user is not able to download or install software that may corrupt the secure operating state of the ATM machine.
Thus, sensor devices of the ATM 104, such as camera 106 and/or a deposit scanner 114 as previously discussed, as well as keyboard 108, card reader 112 and display 110 are all under the control of relatively fixed ATM software (the typical user does not have any easy way to alter the software running on the machine). Therefore, it is less likely that the information collected by these data gathering sensor components will be intercepted by corrupted software running on the ATM 104. While not as secure as working directly with an employee of a bank in person, the ATM 104 provides a relatively safe and secure system through which to engage in personal banking transactions.
The security risks that are present for mobile banking transactions using personal computing devices such as tablets and smartphones are potentially far more insidious and difficult to control. FIG. 1B represents a high-level illustration of an example of a current mobile banking infrastructure. A user's smartphone 152 is coupled to the bank data center 122 over the Internet 164 via the smartphone's Wi-Fi connection 160 and/or the 3G/4G telephone network 162, to which the user subscribes. With reference to the front view 152a of smartphone 152, an unsecure banking software application 150 is stored on smartphone 152. The unsecure software banking “app” 150 is launched by the user and executed by the smartphone 152, to initiate what the user and the bank 124 believe to be a secure computing session for purposes of engaging in sensitive banking transactions.
Unsecure banking application 150 establishes connectivity with the bank data center 122 using either Wi-Fi connection 160 or telephone network 162, and prompts the user through display 154 to enter user credentials (e.g. user ID and password) using displayed keyboard 156. Once the user credentials are verified and the user is logged into the bank data center 122, the unsecure banking app 150 presents a menu of options to the user on the display 154, by which the user may engage in self-service banking activities with the bank data center 122 of the user's bank 124. These activities will likely involve the gathering and transfer of sensitive and personal information between the smartphone 152 (or other personal computing device) and the bank data center 122.
The primary difference between the ATM banking system of FIG. 1A and the mobile banking system of FIG. 1B is that, unlike the ATM terminal 104, the mobile smartphone 152 is owned and controlled by the user. The user's smartphone is loaded with a large number of other software apps 166 that were either provided with the smartphone 152, or that were downloaded and stored on the smartphone 152 by the user.
These software apps 166 are often developed, not by the suppliers of smartphones, but by independent developers through APIs provided by the phone suppliers. Some quality and security control is attempted by the phone suppliers to ensure that these software apps are legitimate and non-malicious. For example, they may require pre-approval of each developer, and may require that such applications be sold through a pre-approved distribution web site such as the Google Play store (for applications running on smartphones using the Android operating system (OS)). The applications can be digitally signed to ensure authenticity.
But even these measures fall far short of ensuring that such software applications are not performing malicious actions under the cover of being a legitimate software application. Moreover, smartphones can be hacked or jail-broken with the knowledge and participation of the user to permit the downloading of pirated copies of the software applications. A user may opt for such bootleg copies to avoid paying full-price for the application, or to expand the functionality of the smartphone beyond what would otherwise be permitted by the original state of the smartphone when purchased.
Software apps can be written to freely access the various data gathering devices of the smartphone 152 through the device drivers for those devices. Access to these devices can be made without the knowledge of the user. The app may have legitimate need to access devices in carrying out its apparent and advertised purpose, or may have no legitimate need for access to such devices. Data gathering devices can include, for example, cameras 158 and 170 for sensing and gathering image information, microphones used for sensing and gathering sound data such as speech (not shown), GPS locating devices for gathering coordinate data used to geo-locate the phone using satellites, device drivers for data gathering devices such as scanners and USB ports, etc. Near field communication devices such as NFC and Bluetooth are also used to sense and gather personal information, such as for purposes of making payments through proximity with point of sale terminals.
These apps can also be maliciously programmed to connect to the Internet, to access sensitive personal data such as contacts and pictures, and they can be programmed to intercept keystrokes on the keyboard and to take screen shots to scrape data from the display of a personal computing device such as a smartphone. Moreover, because most operating systems permit multiple apps and services to exist simultaneously, many applications and services are able to run in the background even while a sensitive app, such as a mobile banking application, is running in the foreground. Background apps and services may be suspended while the foreground application is being executed, but they can be waiting in the wings for the first opportunity to force themselves to the foreground and become active once again.
The detection of software applications' malicious intent is difficult, because there are many legitimate apps accessing the various sensors, drivers and services of the personal computing device. Thus, what might appear on the surface to be a legitimate flashlight application for example, and which may function perfectly as a flashlight app, may also be capable of accessing the microphone, or one or all of the cameras for purposes of eavesdropping on the user's activities, without the user ever realizing it until it's too late. Because software apps 166 can also be legitimately programmed to access the Internet 164 through Wi-Fi connection 160, they can also be programmed to send sensitive information, captured through eavesdropping activities, over the Internet 164 to some undisclosed site for malicious purposes such as identity theft, theft of passwords and theft of funds.
Those of skill in the art will recognize that this vulnerability is particularly severe for smartphones and other personal computing devices that employ a multi-threaded operating system (OS), which allows many applications to run concurrently. All mobile operating systems are multi-threaded to some degree, because the ability to run applications concurrently in the background is particularly desirable in personal computing devices such as smartphones. Such functionality allows the phone to perform functions in the background, such as polling the user's email server or displaying the current weather conditions, or alerting the user to the arrival of new email or a text, for example, while the user may be running a mobile banking application in the foreground.
One verified and demonstrated example of an application running in the background and using a data gathering device to steal a user's sensitive banking information during a mobile banking session, established through the user's execution of an unsecure mobile banking application 150 using a personal computing device, is the theft of a check for deposit. In this case, a user launches a banking application on the user's smartphone 152, which connects to the data center 122 of the user's bank 124 as illustrated in FIG. 1B. The unsecure banking app 150 can display a link to the user (not shown) that, when activated by the user, initiates the check deposit process. Depositing a check during a mobile banking session is typically accomplished by using the smartphone camera 170 to capture an image of the check, which the smartphone 152 then transmits to the data center 122 over the Internet 164 using either the Wi-Fi 160 or the 3G/4G 162 network connections. The unsecure banking app 150 typically instructs the user to place the check on a flat surface, and to indicate when the user has placed the check within the viewed frame of the camera 170. In response to the user being ready, the unsecure software app 150 requests access to the camera 170, captures an image of the check and then releases the camera 170 for use by other applications 166.
If one of the software apps or services 166 running in the background concurrently with the unsecure banking app 150 is intent on stealing checks intended for deposit, the application 166 can first be written to observe that the unsecure banking application 150 is actually running in the foreground while the malicious app 166 is running in the background. The malicious one of the apps 166 can be further programmed to determine when the unsecure banking application 150 has requested access to the camera 170 during the banking session, presumably to capture an image of a check or some other sensitive document. Finally, the malicious one of apps 166 further detects the moment the camera 170 is released upon completion of image capture. The malicious application can then immediately grab access to the same camera 170 and capture a second image of the check while the check is still in view of the camera. The malicious app can then access the Internet 164 through Wi-Fi interface 160 or mobile data interface 162 either immediately, or at a later time, and without knowledge of the user, send the image it took of the check to a remote site on the Internet 164. From there, the image can be used for fraudulent purposes such as conversion of the funds. Transactions similar to depositing checks, such as the uploading of gift cards for application to purchases, or capture and uploading of credit card images are also becoming popular and are subject to the same lapses in security, and particularly through a camera installed on the personal computing device.
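The camera handoff described in the two preceding paragraphs is, at bottom, a resource-arbitration problem: the OS frees the camera the instant the banking app releases it, and whichever process asks next gets it while the check is still on the table. The following model is an added illustration, not code from this document or from any banking app or mobile operating system. It assumes a simplified single-holder camera arbiter that knows which app is in the foreground and whether a sensitive session is in progress; the naive policy reproduces the handoff from the text, the foreground-only policy is one assumed mitigation (refuse camera grants to non-foreground apps while a sensitive session is active), and the log rule shows what a monitoring component would flag. The same model applies to the gift card, credit card and stored-document captures the page mentions, since only the scene in front of the lens changes.

```python
"""Model of the check-deposit camera handoff (constructed illustration).

Not the patent's method and not a real OS API: the arbiter, the policies
and the session flow are all assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# (action, app name, app was in foreground, sensitive session was active)
Event = Tuple[str, str, bool, bool]


@dataclass
class App:
    name: str
    foreground: bool = False
    captured: List[str] = field(default_factory=list)


@dataclass
class CameraArbiter:
    """Single-holder camera, standing in for the OS camera service."""
    policy: Callable[["CameraArbiter", App], bool]
    scene: str = ""                     # constructed stand-in for the current frame
    holder: Optional[App] = None
    sensitive_session: bool = False
    log: List[Event] = field(default_factory=list)

    def _record(self, action: str, app: App) -> None:
        self.log.append((action, app.name, app.foreground, self.sensitive_session))

    def acquire(self, app: App) -> bool:
        # Busy camera or a policy refusal both end in a logged denial.
        if self.holder is not None or not self.policy(self, app):
            self._record("DENY", app)
            return False
        self.holder = app
        self._record("GRANT", app)
        return True

    def capture(self, app: App) -> str:
        if self.holder is not app:
            raise PermissionError(f"{app.name} does not hold the camera")
        app.captured.append(self.scene)
        return self.scene

    def release(self, app: App) -> None:
        if self.holder is app:
            self.holder = None
            self._record("RELEASE", app)


def naive_policy(arbiter: CameraArbiter, app: App) -> bool:
    """Grant the camera to whoever asks first once it is free (the text's scenario)."""
    return True


def foreground_only_policy(arbiter: CameraArbiter, app: App) -> bool:
    """Assumed mitigation: while a sensitive session is active, only the
    foreground app may take the camera, so a request made from the background
    right after the banking app's release is refused."""
    return app.foreground or not arbiter.sensitive_session


def run_deposit_session(policy):
    """Replay the deposit flow from the text under the given arbiter policy."""
    cam = CameraArbiter(policy=policy, scene="CHECK-IMAGE(constructed)")
    bank = App("bank_app", foreground=True)
    lurker = App("flashlight_app", foreground=False)   # background app from the text
    cam.sensitive_session = True
    cam.acquire(bank)
    cam.capture(bank)
    cam.release(bank)            # the check is still in front of the lens here
    if cam.acquire(lurker):      # background app that was waiting for the release
        cam.capture(lurker)
        cam.release(lurker)
    cam.sensitive_session = False
    return bank.captured, lurker.captured, cam.log


def suspicious_handoffs(log: List[Event]) -> List[str]:
    """Detection rule over the arbiter log: any camera grant to a
    non-foreground app while a sensitive session was active."""
    return [app for action, app, fg, sensitive in log
            if action == "GRANT" and sensitive and not fg]


if __name__ == "__main__":
    for name, policy in (("naive", naive_policy),
                         ("foreground-only", foreground_only_policy)):
        bank_imgs, lurker_imgs, log = run_deposit_session(policy)
        print(f"{name}: bank={bank_imgs} lurker={lurker_imgs} "
              f"flagged={suspicious_handoffs(log)}")
```

Under the naive policy the background app ends up holding a copy of the check image and the log rule flags the grant; under the foreground-only policy the same request is denied and nothing is flagged. The policy is deliberately a property of the arbiter rather than of the banking app, because the banking app has no control over what other apps 166 do once it has released the camera.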
Although banks are well-aware of the vulnerability of personal computing devices such as smartphones, smartphones now number well over 4 billion world-wide and the owners of these smartphones will continue to demand the convenience of using them to perform mobile banking. In addition, people are increasingly using personal computing devices to perform many other types of sensitive activities. For example, smartphones are now being used to transact payments while acting as digital wallets, where cash and credit card payments can be processed using the smartphone directly through the use of near field technology. These transactions can be performed without the need to physically swipe a credit and/or debit card because the phone stores and transmits this sensitive information to point of sale terminals that are programmed to read this sensitive information being transmitted by the phone.
Additionally, personal computing devices are now being used to capture and store images of important documents such as driver's licenses, social security cards, birth certificates, bank account numbers and credentials, credit cards, and the like, providing back-up in case the physical documentation is lost. Thus, a malicious software application that monitors use of the camera, as described above, could gain access to the camera immediately upon its use and quickly take an image in the hope that sensitive subject matter is still in view of the camera.